cc/td/doc/product/vpn/client/rel4_0
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

User Profiles
Sample Profile Description
Modifying the Sample Profile
Creating a User Profile

User Profiles


The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file). User profiles reside in the default directory /etc/CiscoSystemsVPNClient/Profiles/, or in the directory specified during the VPN Client installation.

User profile parameters include the remote server address, IPSec group name and password, use of a log file, use of backup servers, and automatic connect upon startup. Each connection entry has its own user profile.


Note   User profiles for the VPN Client are interchangeable between platforms. Keywords that are specific to the Windows platform are ignored by other platforms.

This chapter describes how to create a VPN Client user profile.

To set global profiles for all users, refer to the Cisco VPN Client Administrator Guide.

Sample Profile Description

There are two ways to create a user profile:

There is only one user profile per connection.

The VPN Client software is shipped with a sample user profile. The file is named sample.pcf.

The following is an example of a sample user profile that might be shipped with your installer.

[main]
Description=sample user profile
Host=10.7.44.1
AuthType=1
GroupName=monkeys
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=gawf
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0

Modifying the Sample Profile

To modify the sample profile


Step 1   Using a text editor, open the sample user profile.

Step 2   Modify the keywords you want to change.

See your administrator for IP addresses, user name, and any security information.

Step 3   Save your new profile with a unique name in the /etc/CiscoSystemsVPNClient/Profiles/ directory.

When you use the vpnclient connect command to establish a connection, use your new profile name.



Creating a User Profile

You can create your own user profile from scratch by using any text editing program.

At a minimum, you need the following keywords listed in your profile:

Save your new profile in the /etc/CiscoSystemsVPNClient/Profiles/ directory. See your administrator for IP addresses, user names, and any security information.

Table 3-1 describes keywords that can be in a user profile. User profile keywords are not case sensitive unless indicated in the description.

Table 3-1   User Profile Keywords

Keywords Description

[main]

A required keyword that identifies the main section. Enter exactly as shown as the first entry in the user profile.

Description = String

This optional keyword describes this user profile. The maximum length is 246 alphanumeric characters.

Host = IP_Address or hostname

The hostname or IP address of the VPN device you want to connect with. The maximum length of the hostname is 255 alphanumeric characters.

AuthType = { 1 | 3 }

The authentication type that this user is using.

  • 1 is preshared keys.
  • 3 is a digital certificate using an RSA signature.

If you select AuthType 1, you must also configure the GroupName and GroupPwd.

GroupName = String

The name of the IPSec group configured on the VPN device that contains this user. The maximum length is 32 alphanumeric characters. This keyword is case sensitive.

GroupPwd = String

The password for the IPSec group that contains this user. The minimum length is 4 alphanumeric characters. The maximum is 32. This keyword is case sensitive and entered in clear text.

encGroupPwd = String

Displays the group password in the user profile in its encrypted form. It is binary data represented as alphanumeric text.

Username = String

The name that identifies a user as a valid member of the IPSec group specified in GroupName. The VPN Client prompts the user for this value during user authentication. The maximum length is 32 alphanumeric characters. This keyword is case sensitive and entered in clear text.

UserPassword = String

This password is used during extended authentication.

  • If SaveUserPassword is enabled, the first time the VPN Client reads this password, it is saved in the user profile as encUserPassword, and the clear text version is deleted.
  • If SaveUserPassword is disabled, the VPN Client deletes the clear text version of the user password in the user profile but it does not create an encrypted version.

encUserPassword = String

Displays the user password in the user profile in its encrypted form. It is binary data represented as alphanumeric text.

SaveUserPassword = { 0 | 1 }

Determines if the user password or its encrypted form are valid in the user profile.

  • 0, the default, displays the user password in clear text in the user profile and is saved locally.
  • 1 displays the user password in the user profile in its encrypted version, and the password is not saved locally.

This value is set in the VPN device, not in the VPN Client.

EnableBackup = { 0 | 1 }

Specifies to use a backup server if the primary server is not available.

  • 0, the default, disables the backup server.
  • 1 enables the backup server.

You must also specify a BackupServer.

BackupServer = IP_Address or hostname

List of IP addresses or hostnames of backup servers. Separate multiple entries by commas. The maximum length of hostname is 255 alphanumeric characters.

EnableLocalLAN = { 0 | 1 }

Allows you to configure access to your local LAN.

  • 0, the default, disables local LAN access.
  • 1 enables local LAN access.

Note    To allow local LAN access, it must be enabled on both the VPN Client and the VPN device you are connecting to.

EnableNAT = { 0 | 1 }

Specifies whether or not to enable secure transmission between a VPN Client and a VPN device through a router serving as a firewall, which might also be using the NAT protocol.

  • 0, the default, disables IPSec through NAT mode.
  • 1 enables IPSec through NAT mode.

TunnelingMode = { 0 | 1 }

Allows you to select which form of NAT transversal is used.

  • 0, the default, specifies IPSec over UDP for NAT transparency.
  • 1 specifies IPSec over TCP for NAT transparency.

You must also have IPSec through NAT enabled.

TCPTunnelingPort = { 0 | 65535 }

Sets which TCP port to use for the cTCP protocol. The default is 10000. You must also have IPSec through NAT enabled and the Tunneling Mode set for IPSec over TCP.

ForceKeepAlives = { 0 | 1 }

Allows the VPN Client to keep sending IKE and ESP keepalives for a connection at approximately 20-second intervals so that the port on an ESP-aware NAT/Firewall does not close.

  • 0, the default, disables keepalives.
  • 1 enables keepalives.

PeerTimeout = Number

The number of seconds to wait before terminating a connection when the VPN device on the other end of the tunnel is not responding. The range is 30 to 480 seconds. The default is 90.

CertStore = { 0 | 1 }

Identifies the type of store containing the configured certificate.

  • 0 = default, none.
  • 1 = Cisco.

CertName = String

Identifies the certificate used to connect to the VPN device. The maximum length is 129 alphanumeric characters.

CertPath = String

The path name of the directory containing the certificate file. The maximum length is 259 alphanumeric characters.

CertSubjectName = String

The qualified Distinguished Name (DN) of the certificate's owner. You can either not include this keyword in the user profile, or leave this entry blank.

CertSerialHash = String

A hash of the certificate's complete contents, which provides a means of validating the authenticity of the certificate. You can either not include this keyword in the user profile, or leave this entry blank.

DHGroup = { 1 | 2 }

Allows a network administrator to override the configured group value used to generate Diffie-Hellman key pairs on a VPN device.

  • 1 = modp group 1
  • 2 = modp group 2

The default is 2. The VPN Concentrator configuration for IKE Proposal must match the DHGroup in the VPN Client. If the AuthType is set to 3 (digital certificate), this keyword has no effect on the VPN Client.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Thu May 22 04:47:02 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.